GDPR Myths: 6 Security Details Workplaces Have to Get Right

By now many companies are starting to become aware of the new General Data Protection Regulation (GDPR), which will come into effect on May 25, 2018.

For companies that are preparing for the changes, it’s important to be aware of certain aspects of the regulation that need to be got right – and that may not be, owing to misunderstandings and myths.

Here are 6 security details of the regulation that organisations have to get right.

Breach reporting: The regulation makes it mandatory to report a personal data breach if it’s likely to result in a risk to people’s rights and freedoms – and it really will depend on the risk it poses. A recent Information Commissioner’s Office (ICO) paper identified high risk situations as discrimination, damage to reputation, financial loss and other significant economic or social disadvantages.

Reporting deadlines: To be in compliance with the GDPR, a personal data breach that affects individuals’ rights and freedoms has to be reported no later than 72 hours after discovery. The paper emphasises that the ICO does not expect all details right away. The information that matters most comprises the scope of the breach, its cause, the mitigation plan, and the actions being undertaken to solve the problem.

Fines: Under the GDPR the ICO will have the ability to issue fines for failing to notify and failing to notify in time. Potential non-compliance fines can go up to 4% of a company’s global annual revenues. But the regulation is not just about fining companies. Fines can be avoided if companies take a transparent approach and comply with regulations.

Data security: Some companies have the impression that the regulation has been created to punish organisations. But according to the ICO paper, the legislation is all about giving consumers more control over their data while increasing the accountability of organisations. Focus on putting better safeguards in place to detect and deter breaches. This will raise the level of security and privacy protection across the board – and on a global basis.

Information destruction: With the GDPR’s ‘right to be forgotten’, organisations should not be keeping personal information for any longer than necessary and they must delete or remove the information at the owner’s request. With this in mind, workplaces should put processes in place so that they collect and keep only the confidential information that is needed for operations and compliance.